From mboxrd@z Thu Jan 1 00:00:00 1970 From: Eric Paris Subject: Re: [PATCH] audit=0 appears not to completely disable auditing Date: Wed, 26 Sep 2007 12:52:10 -0400 Message-ID: <1190825530.3453.1.camel@dhcp231-215.rdu.redhat.com> References: <200703091550.11104.sgrubb@redhat.com> Mime-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <200703091550.11104.sgrubb@redhat.com> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: viro@ftp.linux.org.uk Cc: Linux Audit List-Id: linux-audit@redhat.com Al, What happened with this patch, it does not appear to have made it into the audit tree. We are still outputting audit messages (through dmesg/syslog) even when audit is turned off. -Eric On Fri, 2007-03-09 at 15:50 -0500, Steve Grubb wrote: > Hi, > > There was a bz, 231371, reporting that current upstream kernels do not completely > disable auditing when boot with audit=0 and the audit daemon not configured to > run. You can reproduce the problem by: > > service auditd stop > auditctl -e 0 > auditctl -w /etc/passwd > and you'd get an event in syslog: > Mar 9 15:43:04 localhost kernel: audit(1173472984.321:982): auid=4294967295 > subj=user_u:system_r:auditctl_t:s0 op=add rule key=(null) list=4 res=1 > > The patch below solves this problem by checking audit_enabled before creating > an audit event. > > Signed-off-by: Steve Grubb > > > diff -urp linux-2.6.18.x86_64.orig/kernel/audit.c linux-2.6.18.x86_64/kernel/audit.c > --- linux-2.6.18.x86_64.orig/kernel/audit.c 2007-03-09 14:08:18.000000000 -0500 > +++ linux-2.6.18.x86_64/kernel/audit.c 2007-03-09 14:06:59.000000000 -0500 
> @@ -238,46 +238,50 @@ void audit_log_lost(const char *message)
>
> static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid)
> {
> - int old = audit_rate_limit;
> + if (audit_enabled) {
> + int old = audit_rate_limit;
>
> - if (sid) {
> - char *ctx = NULL;
> - u32 len;
> - int rc;
> - if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
> - return rc;
> - else
> - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
> + if (sid) {
> + char *ctx = NULL;
> + u32 len;
> + int rc;
> + if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
> + return rc;
> + else
> + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
> "audit_rate_limit=%d old=%d by auid=%u subj=%s",
> - limit, old, loginuid, ctx);
> - kfree(ctx);
> - } else
> - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
> - "audit_rate_limit=%d old=%d by auid=%u",
> - limit, old, loginuid);
> + limit, old, loginuid, ctx);
> + kfree(ctx);
> + } else
> + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
> + "audit_rate_limit=%d old=%d by auid=%u",
> + limit, old, loginuid);
> + }
> audit_rate_limit = limit;
> return 0;
> }
>
> static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid)
> {
> - int old = audit_backlog_limit;
> + if (audit_enabled) {
> + int old = audit_backlog_limit;
>
> - if (sid) {
> - char *ctx = NULL;
> - u32 len;
> - int rc;
> - if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
> - return rc;
> - else
> - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
> + if (sid) {
> + char *ctx = NULL;
> + u32 len;
> + int rc;
> + if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
> + return rc;
> + else
> + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
> "audit_backlog_limit=%d old=%d by auid=%u subj=%s",
> - limit, old, loginuid, ctx);
> - kfree(ctx);
> - } else
> - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
> - "audit_backlog_limit=%d old=%d by auid=%u",
> - limit, old, loginuid);
> + limit, old, loginuid, ctx);
> + kfree(ctx);
> + } else
> + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
> + "audit_backlog_limit=%d old=%d by auid=%u",
> + limit, old, loginuid);
> + }
> audit_backlog_limit = limit;
> return 0;
> }
> @@ -289,21 +293,23 @@ static int audit_set_enabled(int state,
> if (state != 0 && state != 1)
> return -EINVAL;
>
> - if (sid) {
> - char *ctx = NULL;
> - u32 len;
> - int rc;
> - if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
> - return rc;
> - else
> - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
> + if (audit_enabled || state) {
> + if (sid) {
> + char *ctx = NULL;
> + u32 len;
> + int rc;
> + if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
> + return rc;
> + else
> + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
> "audit_enabled=%d old=%d by auid=%u subj=%s",
> - state, old, loginuid, ctx);
> - kfree(ctx);
> - } else
> - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
> - "audit_enabled=%d old=%d by auid=%u",
> - state, old, loginuid);
> + state, old, loginuid, ctx);
> + kfree(ctx);
> + } else
> + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
> + "audit_enabled=%d old=%d by auid=%u",
> + state, old, loginuid);
> + }
> audit_enabled = state;
> return 0;
> }
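Review bot: The guard is applied by wrapping each function's whole logging body in `if (audit_enabled) { ... }`, so the same fifteen-line sequence (selinux_ctxid_to_string, audit_log with or without subj=, kfree) is now repeated one level deeper in audit_set_rate_limit and audit_set_backlog_limit here, in audit_set_enabled (the -289 hunk), audit_set_failure (-317) and the AUDIT_STATUS_PID branch of audit_receive_msg (-536). A static helper that formats the "<name>=%d old=%d by auid=%u [subj=%s]" record once would reduce every caller to a one-line condition plus one call, as sketched below; audit_set_enabled keeps its own `if (audit_enabled || state)` condition so the transition to on is still recorded. Unchanged by this commit, a failing `selinux_ctxid_to_string` still returns `rc` before `audit_rate_limit = limit;` (and the matching assignments in the other functions) runs, so a context lookup error vetoes the requested setting; if the helper is introduced, that is the place to make that policy explicit. The opening lines of audit_set_enabled and audit_set_failure lie outside their hunks.
```c
/* Emit one AUDIT_CONFIG_CHANGE record "<name>=<new> old=<old> by auid=<uid>[ subj=<ctx>]".
 * Callers decide whether to log at all (audit_enabled, or the enable transition).
 * Returns 0, or the selinux_ctxid_to_string() error (nothing is logged then). */
static int audit_log_config_change(const char *name, int new, int old,
				   uid_t loginuid, u32 sid)
{
	if (sid) {
		char *ctx = NULL;
		u32 len;
		int rc = selinux_ctxid_to_string(sid, &ctx, &len);
		if (rc)
			return rc;
		audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
			  "%s=%d old=%d by auid=%u subj=%s",
			  name, new, old, loginuid, ctx);
		kfree(ctx);
	} else
		audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
			  "%s=%d old=%d by auid=%u",
			  name, new, old, loginuid);
	return 0;
}

static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid)
{
	if (audit_enabled) {
		int rc = audit_log_config_change("audit_rate_limit", limit,
						 audit_rate_limit, loginuid, sid);
		if (rc)
			return rc;
	}
	audit_rate_limit = limit;
	return 0;
}
/* … unchanged shape: audit_set_backlog_limit, audit_set_enabled, audit_set_failure and the AUDIT_STATUS_PID branch call the helper the same way … */
```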
> @@ -317,21 +323,23 @@ static int audit_set_failure(int state,
> && state != AUDIT_FAIL_PANIC)
> return -EINVAL;
>
> - if (sid) {
> - char *ctx = NULL;
> - u32 len;
> - int rc;
> - if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
> - return rc;
> - else
> - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
> + if (audit_enabled) {
> + if (sid) {
> + char *ctx = NULL;
> + u32 len;
> + int rc;
> + if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
> + return rc;
> + else
> + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
> "audit_failure=%d old=%d by auid=%u subj=%s",
> - state, old, loginuid, ctx);
> - kfree(ctx);
> - } else
> - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
> - "audit_failure=%d old=%d by auid=%u",
> - state, old, loginuid);
> + state, old, loginuid, ctx);
> + kfree(ctx);
> + } else
> + audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
> + "audit_failure=%d old=%d by auid=%u",
> + state, old, loginuid);
> + }
> audit_failure = state;
> return 0;
> }
> @@ -536,22 +544,26 @@ static int audit_receive_msg(struct sk_b
> if (err < 0) return err;
> }
> if (status_get->mask & AUDIT_STATUS_PID) {
> - int old = audit_pid;
> - if (sid) {
> - if ((err = selinux_ctxid_to_string(
> - sid, &ctx, &len)))
> - return err;
> - else
> + if (audit_enabled) {
> + int old = audit_pid;
> + if (sid) {
> + if ((err = selinux_ctxid_to_string(
> + sid, &ctx, &len)))
> + return err;
> + else
> + audit_log(NULL, GFP_KERNEL,
> + AUDIT_CONFIG_CHANGE,
> + "audit_pid=%d old=%d by auid=%u subj=%s",
> + status_get->pid, old,
> + loginuid, ctx);
> + kfree(ctx);
> + } else
> audit_log(NULL, GFP_KERNEL,
> AUDIT_CONFIG_CHANGE,
> - "audit_pid=%d old=%d by auid=%u subj=%s",
> - status_get->pid, old,
> - loginuid, ctx);
> - kfree(ctx);
> - } else
> - audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
> "audit_pid=%d old=%d by auid=%u",
> - status_get->pid, old, loginuid);
> + status_get->pid, old,
> + loginuid);
> + }
> audit_pid = status_get->pid;
> }
> if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)
> diff -urp linux-2.6.18.x86_64.orig/kernel/auditfilter.c linux-2.6.18.x86_64/kernel/auditfilter.c
> --- linux-2.6.18.x86_64.orig/kernel/auditfilter.c 2007-03-09 14:08:18.000000000 -0500
> +++ linux-2.6.18.x86_64/kernel/auditfilter.c 2007-03-09 14:05:54.000000000 -0500
> @@ -95,6 +95,8 @@ extern struct inotify_handle *audit_ih;
> /* Inotify events we care about. */
> #define AUDIT_IN_WATCH IN_MOVE|IN_CREATE|IN_DELETE|IN_DELETE_SELF|IN_MOVE_SELF
>
> +extern int audit_enabled;
> +
> void audit_free_parent(struct inotify_watch *i_watch)
> {
> struct audit_parent *parent;
> @@ -897,7 +899,6 @@ static void audit_update_watch(struct au
> struct audit_watch *owatch, *nwatch, *nextw;
> struct audit_krule *r, *nextr;
> struct audit_entry *oentry, *nentry;
> - struct audit_buffer *ab;
>
> mutex_lock(&audit_filter_mutex);
> list_for_each_entry_safe(owatch, nextw, &parent->watches, wlist) {
> @@ -937,13 +938,18 @@ static void audit_update_watch(struct au
> call_rcu(&oentry->rcu, audit_free_rule_rcu);
> }
>
> - ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
> - audit_log_format(ab, "op=updated rules specifying path=");
> - audit_log_untrustedstring(ab, owatch->path);
> - audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino);
> - audit_log_format(ab, " list=%d res=1", r->listnr);
> - audit_log_end(ab);
> -
> + if (audit_enabled) {
> + struct audit_buffer *ab;
> + ab = audit_log_start(NULL, GFP_KERNEL,
> + AUDIT_CONFIG_CHANGE);
> + audit_log_format(ab,
> + "op=updated rules specifying path=");
> + audit_log_untrustedstring(ab, owatch->path);
> + audit_log_format(ab, " with dev=%u ino=%lu\n",
> + dev, ino);
> + audit_log_format(ab, " list=%d res=1", r->listnr);
> + audit_log_end(ab);
> + }
> audit_remove_watch(owatch);
> goto add_watch_to_parent; /* event applies to a single watch */
> }
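Review bot: `ab` is handed straight from `audit_log_start` to `audit_log_format` with no NULL check in the re-indented block, and the same holds for the -962 hunk in audit_remove_parent_watches, whereas the -1409 hunk in this very file (audit_log_rule_change) does `if (!ab) return;` immediately after the call. If the audit_log_* helpers tolerate a NULL buffer this is harmless, but wrapping the format/end calls in `if (ab) { ... }` would make the three sites in this file behave alike and not depend on that. Carried over into the new lines, the format string `" with dev=%u ino=%lu\n"` embeds a newline in the middle of a single record before `" list=%d res=1"` is appended; the remove-rule record in the -962 hunk has no such newline, so it looks accidental and splits the record text for anything that parses it line by line — dropping the `\n` is a one-character fix. audit_update_watch begins outside this hunk (its declarations are in the -897 hunk).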
> @@ -962,25 +968,28 @@ static void audit_remove_parent_watches(
> struct audit_watch *w, *nextw;
> struct audit_krule *r, *nextr;
> struct audit_entry *e;
> - struct audit_buffer *ab;
>
> mutex_lock(&audit_filter_mutex);
> parent->flags |= AUDIT_PARENT_INVALID;
> list_for_each_entry_safe(w, nextw, &parent->watches, wlist) {
> list_for_each_entry_safe(r, nextr, &w->rules, rlist) {
> e = container_of(r, struct audit_entry, rule);
> -
> - ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
> - audit_log_format(ab, "op=remove rule path=");
> - audit_log_untrustedstring(ab, w->path);
> - if (r->filterkey) {
> - audit_log_format(ab, " key=");
> - audit_log_untrustedstring(ab, r->filterkey);
> - } else
> - audit_log_format(ab, " key=(null)");
> - audit_log_format(ab, " list=%d res=1", r->listnr);
> - audit_log_end(ab);
> -
> + if (audit_enabled) {
> + struct audit_buffer *ab;
> + ab = audit_log_start(NULL, GFP_KERNEL,
> + AUDIT_CONFIG_CHANGE);
> + audit_log_format(ab, "op=remove rule path=");
> + audit_log_untrustedstring(ab, w->path);
> + if (r->filterkey) {
> + audit_log_format(ab, " key=");
> + audit_log_untrustedstring(ab,
> + r->filterkey);
> + } else
> + audit_log_format(ab, " key=(null)");
> + audit_log_format(ab, " list=%d res=1",
> + r->listnr);
> + audit_log_end(ab);
> + }
> list_del(&r->rlist);
> list_del_rcu(&e->list);
> call_rcu(&e->rcu, audit_free_rule_rcu);
> @@ -1409,6 +1418,9 @@ static void audit_log_rule_change(uid_t
> {
> struct audit_buffer *ab;
>
> + if (!audit_enabled)
> + return;
> +
> ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
> if (!ab)
> return;
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit